AV終結者 (AV Terminator): new variant

AV Terminator has been rampant for some time. Thanks to the combined efforts of the antivirus vendors its momentum had weakened, but a small-scale outbreak has just reappeared, and users report that the dedicated removal tools (專殺) are themselves being killed. I obtained this new variant today and analysed it straight away. Particularly worth noting: this variant has started downloading assorted rogue software (earlier variants generally downloaded trojans).

Analysis report

File: pmovrao.exe

Size: 26816 bytes

MD5: 8A43F7A2EB37728D5D808C4E72B65242

SHA1: A61CB036BC9A851A61E79F815A688DC04603C509

CRC32: 2B59AD2F

After it runs, it drops an EXE with a random 7-letter name into each of C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System.

In this test run they were C:\Program Files\Common Files\System\gamkqme.exe and C:\Program Files\Common Files\Microsoft Shared\vdiwghf.exe.

It also creates:

C:\Program Files\meex.exe

C:\Program Files\syuhxcx.inf (random 7-letter name)

Deletes C:\WINDOWS\system32\verclsid.exe (a legitimate Windows shell component).

Walks drive letters D through Z and drops into the root of each an autorun.inf plus an EXE with a random 7-letter name (here pmovrao.exe).

The drives' right-click context menu shows no change.

Checks whether the following files exist and, if found, renames each to a random 7-letter name (these are drop locations used by other malware, not Windows components):

autorun.inf in the root of each partition

MSInfo\wniapsvr.exe

MSInfo\Shell.exe

MSInfo\Shell.pci

system32\progmon.exe

system32\internt.exe

Web\css.css

Com\lsass.exe

IME\svchost.exe

IME\smss.exe

Debug\debug.exe

Common Files\svchost.cnc

Common Files\Relive.dll

Internet Explorer\msvcrt.dll

Internet Explorer\PLUGINS\SysWin64.Jmp

Internet Explorer\PLUGINS\SysWin64.Sys

Internet Explorer\PLUGINS\SysWin64.Tao

Sets the startup type of the following services to Disabled (Start = 4):

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess (Windows Firewall / Internet Connection Sharing)

HKLM\SYSTEM\CurrentControlSet\Services\helpsvc (Help and Support)

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc (Security Center)

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv (Automatic Updates)

Deletes the following keys, which breaks Safe Mode ({4D36E967-E325-11CE-BFC1-08002BE10318} is the disk drive device class; with it missing from the SafeBoot lists the system cannot start in Safe Mode):

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

Sets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue to 0x00000000, so that selecting "Show hidden files and folders" in Folder Options no longer takes effect.

Sets the Hidden attribute on C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System.

Adds the following Image File Execution Options (IFEO) keys:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe

Each key's Debugger value points at the random 7-letter EXE under C:\Program Files\Common Files\Microsoft Shared, so launching any of the listed tools by its normal file name starts the malware instead of the tool.
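An offline check for the persistence and propagation artifacts described above, added here as an example (it is not code from the original write-up). It reads a registry export in the format written by `reg export` and an autorun.inf, flags IFEO entries whose Debugger is not a known debugger (and recognises this dropper's 7-letter naming under Common Files), reports SafeBoot lists from which the disk class GUID has been deleted, and lists the executables an autorun.inf at a drive root would launch. The registry and autorun.inf samples inside the block are constructed for the example; the autorun.inf directives handled (open=, shellexecute=, shell\<verb>\command=) are the standard ones and an assumption about what this variant writes, and KNOWN_DEBUGGERS is an assumption an administrator should adjust.

```python
r"""Offline triage for two artifacts this variant leaves behind: an IFEO
"Debugger" value for each security tool, and autorun.inf files at drive roots.
Added example, not code from the original write-up.  Registry input is text as
written by `reg export` (read it with encoding="utf-16"); samples are constructed.
The autorun.inf directives handled and KNOWN_DEBUGGERS are assumptions.
"""
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
DISK_CLASS_GUID = "{4D36E967-E325-11CE-BFC1-08002BE10318}"   # disk drive device class
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "procdump.exe"}
# The dropper's naming scheme: seven letters + .exe under either Common Files folder.
DROPPER_PATH = re.compile(r"\\Common Files\\(Microsoft Shared|System)\\[a-z]{7}\.exe$", re.I)


def parse_ini(text):
    """{section: {key: value}} for .reg / .inf text.  Keys are lower-cased; quoted
    values are unquoted and .reg backslash escapes undone (hex: values not needed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            sections[current][key.strip('"').lower()] = value
    return sections


def debugger_program(debugger):
    """Program named by a Debugger value: a quoted path, a bare path ending in .exe
    (spaces included, which is how this dropper writes it), or the first token."""
    quoted = re.match(r'"([^"]+)"', debugger)
    if quoted:
        return quoted.group(1)
    return debugger if debugger.lower().endswith(".exe") else debugger.split(" ")[0]


def find_ifeo_hijacks(reg_text):
    """(image, debugger program, reason) for IFEO entries that redirect a program
    to anything other than a known debugger."""
    hits = []
    for section, values in parse_ini(reg_text).items():
        if not section.lower().startswith(IFEO.lower() + "\\") or "debugger" not in values:
            continue
        image, program = section[len(IFEO) + 1:], debugger_program(values["debugger"])
        if DROPPER_PATH.search(program):
            hits.append((image, program, "dropper: random 7-letter exe under Common Files"))
        elif program.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in KNOWN_DEBUGGERS:
            hits.append((image, program, "Debugger is not a recognised debugger"))
    return hits


def safeboot_lists_missing_disk_class(reg_text):
    """SafeBoot lists (Minimal / Network) lacking the disk class GUID; without it
    Safe Mode cannot start, which is exactly what this variant's deletion causes."""
    present = {s.lower() for s in parse_ini(reg_text)}
    return [mode for mode in ("Minimal", "Network")
            if f"{SAFEBOOT}\\{mode}\\{DISK_CLASS_GUID}".lower() not in present]


def autorun_targets(inf_text):
    r"""Executables an autorun.inf launches via open=, shellexecute= or shell\<verb>\command=."""
    targets = set()
    for section, values in parse_ini(inf_text).items():
        if section.lower() == "autorun":
            for key, value in values.items():
                if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                    targets.add(value.strip('"').split(" ")[0])
    return sorted(targets)


# Constructed sample: two hijacked tools, one legitimate WinDbg registration, and a
# SafeBoot export in which only the Minimal list still has the disk class key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\vdiwghf.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\vdiwghf.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
'''
# Constructed sample of the autorun.inf this worm drops next to its copy (assumed directives).
SAMPLE_AUTORUN = "[AutoRun]\nopen=pmovrao.exe\nshellexecute=pmovrao.exe\nshell\\Auto\\command=pmovrao.exe\nshell=Auto\n"

if __name__ == "__main__":
    for image, program, reason in find_ifeo_hijacks(SAMPLE_REG):
        print(f"IFEO hijack: {image} -> {program}  [{reason}]")
    print("SafeBoot lists missing the disk class:", safeboot_lists_missing_disk_class(SAMPLE_REG))
    print("autorun.inf launches:", autorun_targets(SAMPLE_AUTORUN))
```

On a live machine the inputs come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg`, plus the autorun.inf read from each drive root. Matching on the Debugger program rather than on the hijacked tool's name is deliberate: the list of tools this variant targets changes between variants, but any Debugger value that is not a real debugger is worth a look.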

Monitors for and terminates the following processes:

avp.com

avp.exe

runiep.exe

PFW.exe

FYFireWall.exe

rfwmain.exe

rfwsrv.exe

KAVPF.exe

KPFW32.exe

nod32kui.exe

nod32.exe

Navapsvc.exe

Navapw32.exe

avconsol.exe

webscanx.exe

NPFMntor.exe

vsstat.exe

KPfwSvc.exe

RavTask.exe

Rav.exe

RavMon.exe

mmsk.exe

WoptiClean.exe

QQKav.exe

QQDoctor.exe

EGHOST.exe

360Safe.exe

iparmo.exe

adam.exe

IceSword.exe

360rpt.exe

360tray.exe

AgentSvr.exe

AppSvc32.exe

autoruns.exe

avgrssvc.exe

AvMonitor.exe

CCenter.exe

ccSvcHst.exe

FileDsty.exe

FTCleanerShell.exe

HijackThis.exe

Iparmor.exe

isPwdSvc.exe

kabaload.exe

KaScrScn.SCR

KASMain.exe

KASTask.exe

KAV32.exe

KAVDX.exe

KAVPFW.exe

KAVSetup.exe

KAVStart.exe

KISLnchr.exe

KMailMon.exe

KMFilter.exe

KPFW32X.exe

KPFWSvc.exe

KRegEx.exe

KRepair.com

KsLoader.exe

KVCenter.kxp

KvDetect.exe

KvfwMcl.exe

KVMonXP.kxp

KVMonXP_1.kxp

kvol.exe

kvolself.exe

KvReport.kxp

KVScan.kxp

KVSrvXP.exe

KVStub.kxp

kvupload.exe

kvwsc.exe

KvXP.kxp

KvXP_1.kxp

KWatch.exe

KWatch9x.exe

KWatchX.exe

loaddll.exe

MagicSet.exe

mcconsol.exe

mmqczj.exe

nod32krn.exe

PFWLiveUpdate.exe

QHSET.exe

RavMonD.exe

RavStub.exe

RegClean.exe

rfwcfg.exe

RfwMain.exe

RsAgent.exe

Rsaupd.exe

safelive.exe

scan32.exe

shcfg32.exe

SmartUp.exe

SREng.EXE

symlcsvc.exe

SysSafe.exe

TrojanDetector.exe

Trojanwall.exe

TrojDie.kxp

UIHost.exe

UmxAgent.exe

UmxAttachment.exe

UmxCfg.exe

UmxFwHlp.exe

UmxPol.exe

UpLive.exe

upiea.exe

AST.exe

ArSwp.exe

USBCleaner.exe

rstrui.exe

Filters the following window-title "keywords": any window whose title contains one of them is closed. (Several strings appear more than once in the sample's list and are reproduced here as found. Note that System and Microsoft Shared are the names of the two drop folders, so an Explorer window opened on either of them is closed as well.)

木馬 (trojan)

木馬 (trojan)

病毒 (virus)

防毒 (antivirus)

防毒 (antivirus)

查毒 (virus scan)

防毒 (antivirus)

專殺 (dedicated removal tool)

專殺 (dedicated removal tool)

卡巴 (Kaspersky, short form)

江民 (Jiangmin)

瑞星 (Rising)

毒霸 (Kingsoft Duba)

惡意軟體 (malicious software)

流氓軟體 (rogue software)

上報 (report / submit)

QQ安全 (QQ Security)

舉報 (report)

報警 (alert)

殺軟 (AV software, slang)

殺軟 (AV software, slang)

防殺 (anti-kill)

防殺 (anti-kill)

專 殺 (with a space; this is why Kingsoft's dedicated removal tool cannot start: its title matches this keyword and is filtered too)

360安全 (360 Security)

QQ醫生 (QQ Doctor)

進程 (process)

System

Microsoft Shared

微點 (Micropoint)

上報 (report / submit)

舉報 (report)

進程 (process)

Process

Virus

Trojan

Connects to the network and downloads a trojan and a rogue-software installer:

http://www.xxxxx.com/soft/fox/GameSetup.exe

http://www.xxxxx.com/soft/fox/Setup.exe

They are saved under Program Files as 1AGameSetup.exe and 2BSetup.exe respectively; the two are the installer packages for the trojan and for the rogue software.

Once the trojan and rogue software have been installed, the following files are present (including but not limited to):

C:\WINDOWS\system32\drivers\809igndb.sys

C:\WINDOWS\system32\drivers\acpidisk.sys

C:\WINDOWS\system32\drivers\iExplorer.exe

C:\WINDOWS\system32\drivers\kz0q8id6.sys

C:\WINDOWS\system32\1b1.dll

C:\WINDOWS\system32\60e41.exe

C:\WINDOWS\system32\ad_2201.exe

C:\WINDOWS\system32\b601.dll

C:\WINDOWS\system32\bnkgqpadwh.dll

C:\WINDOWS\system32\mprmsgse.axz

C:\WINDOWS\system32\mscpx32r.det

C:\WINDOWS\031.bmp

C:\WINDOWS\3fa1.exe

C:\WINDOWS\716dairx.exe

C:\WINDOWS\716daiwm.exe

C:\WINDOWS\716daiwow.exe

C:\WINDOWS\716daizx.exe

C:\WINDOWS\716dgj.exe

C:\WINDOWS\716dwl.exe

C:\WINDOWS\ad_2201.exe

C:\WINDOWS\boolan95.exe

C:\WINDOWS\dodolook386.exe

C:\WINDOWS\fa7c1.txt

C:\WINDOWS\kulionrx.dll

C:\WINDOWS\kulionrx.exe

C:\WINDOWS\kulionwl.dll

C:\WINDOWS\kulionwm.dll

C:\WINDOWS\kulionzx.dll

C:\WINDOWS\kulionzx.exe

C:\WINDOWS\my_70087.exe

C:\WINDOWS\video.dll

C:\WINDOWS\winow.dll

C:\WINDOWS\winow.exe

C:\WINDOWS\winwl.exe

C:\WINDOWS\winwm.exe

C:\WINDOWS\wmsj.exe

C:\WINDOWS\齊看網Setup2.exe

C:\Program Files\1AGameSetup.exe

C:\Program Files\2BSetup.exe

C:\PROGRA~1\yxry

C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

These include rogue software and account-stealing trojans.

The SREng log shows the following:

Services

[Windows dcwd RunThem / dcwd][Running/Auto Start]

<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\yxry\ihbi.dll>< >

[Fax 2Client / ms_2fax][Running/Auto Start]

<C:\WINDOWS\system32\60e41.exe><N/A>

Drivers

[809ignd / 809igndb][Running/Boot Start]

<\SystemRoot\System32\DRIVERS\809igndb.sys><N/A>

[acpidisk / acpidisk][Running/Auto Start]

<\??\C:\WINDOWS\system32\drivers\acpidisk.sys><N/A>

[kz0q8id6 / kz0q8id6][Running/Auto Start]

<\??\C:\WINDOWS\system32\drivers\kz0q8id6.sys><N/A>

Browser add-ons

[Info cache]

{385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, 金泰豐(廣州)科技有限公司>

[ff Class]

{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\b601.dll, TODO: <公司名>>

(The company field of b601.dll reads TODO: <公司名>, i.e. "TODO: <company name>", the unfilled placeholder of a Visual Studio version-resource template.)
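The SREng output above can be triaged mechanically. The following is an added example, not part of the original write-up or of SREng: it parses Services and Drivers entries in SREng's format and flags those with no vendor string, those whose binary or svchost ServiceDll lives outside %SystemRoot%\system32, and protective services the write-up says this variant disables when they show as Disabled. The log excerpt is constructed for the example (the malicious lines copy the write-up; the wuauserv and winmgmt lines are controls); TRUSTED_DIRS, the C:\WINDOWS system root and the flagging rules are assumptions.

```python
r"""Triage of SREng "Services" / "Drivers" listings in the format quoted above.
Added example, not part of the original write-up or of SREng.  The log excerpt
is constructed (malicious entries copy the write-up; wuauserv and winmgmt are
controls).  The flagging rules, TRUSTED_DIRS and the C:\WINDOWS root are assumptions.
"""
import re

HEADER = re.compile(r"^\[(?P<display>.+?) / (?P<name>.+?)\]\[(?P<state>.+?)\]$")
DETAIL = re.compile(r"^<(?P<image>.+?)><(?P<vendor>.*?)>$")
# Where legitimate service binaries and drivers live (compared case-insensitively).
TRUSTED_DIRS = (r"c:\windows\system32", r"\systemroot\system32")
# Services the write-up says this variant sets to Disabled.
DISABLED_BY_VARIANT = {"sharedaccess", "helpsvc", "wscsvc", "wuauserv"}


def parse_sreng_services(text):
    """Pair each [Display / Name][State] line with the <image><vendor> line after it."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            pending = header.groupdict()
            continue
        detail = DETAIL.match(line)
        if detail and pending is not None:
            # "host.exe -k group-->C:\path\svc.dll" is how SREng shows svchost-hosted services.
            host, _, service_dll = detail["image"].partition("-->")
            pending.update(image=host.strip(), service_dll=service_dll.strip() or None,
                           vendor=detail["vendor"].strip())
            entries.append(pending)
            pending = None
    return entries


def binary_path(value):
    r"""Strip the NT \??\ prefix and any command-line arguments, leaving the file path."""
    value = value.replace("\\??\\", "")
    if value.lower().endswith((".exe", ".sys", ".dll")):
        return value
    return value.split(" -", 1)[0]


def suspicious_services(entries):
    """(service name, binary, reasons) for every entry that trips a heuristic."""
    flagged = []
    for entry in entries:
        binary = entry["service_dll"] or entry["image"]
        reasons = []
        if entry["vendor"] in ("", "N/A"):
            reasons.append("no vendor/version information")
        if not binary_path(binary).lower().startswith(TRUSTED_DIRS):
            reasons.append("binary outside system32")
        if entry["name"].lower() in DISABLED_BY_VARIANT and entry["state"].endswith("/Disabled"):
            reasons.append("protective service disabled (this variant's tampering)")
        if reasons:
            flagged.append((entry["name"], binary, reasons))
    return flagged


# Constructed excerpt in SREng's format.
SAMPLE_LOG = r"""
[Windows dcwd RunThem / dcwd][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\yxry\ihbi.dll>< >
[Fax 2Client / ms_2fax][Running/Auto Start]
<C:\WINDOWS\system32\60e41.exe><N/A>
[Automatic Updates / wuauserv][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\wuauserv.dll><Microsoft Corporation>
[Windows Management Instrumentation / winmgmt][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\wbem\WMIsvc.dll><Microsoft Corporation>
[809ignd / 809igndb][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\809igndb.sys><N/A>
[acpidisk / acpidisk][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\acpidisk.sys><N/A>
[kz0q8id6 / kz0q8id6][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\kz0q8id6.sys><N/A>
"""

if __name__ == "__main__":
    for name, binary, reasons in suspicious_services(parse_sreng_services(SAMPLE_LOG)):
        print(f"{name}: {binary}  [{'; '.join(reasons)}]")
```

The "no vendor" rule is the same cue SREng's "Hide verified Microsoft items" relies on; the path rule catches the dcwd service, whose ServiceDll under C:\PROGRA~1\yxry would otherwise hide behind a legitimate svchost.exe host process.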

Solution

Removing the main malware program

Because the dedicated removal tools no longer work, it has to be removed by hand.

1. Download IceSword:

http://www.ttian.net/website/2005/0829/391.html

Unzip it, rename IceSword.exe to something else (the malware kills it by process name and hijacks IceSword.exe through IFEO, so under its original name it would never start), and run it.

On the menu bar choose File > Settings, tick "Prohibit process/thread creation", and click OK.

In the view, click Processes and look for processes whose image is one of the random 7-letter EXEs under C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System (note their names).

If any are present, terminate each of them.

If Rising Firewall is installed, the rfwsrv.exe process also has to be terminated.

Then choose File > Settings again, untick "Prohibit process/thread creation", and click OK.

Still in IceSword, click the Files button at the lower left.

Locate the two random 7-letter EXEs under C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System that you noted, right-click each and delete it.

The following files also have to be deleted:

C:\Program Files\meex.exe

C:\Program Files\syuhxcx.inf (random 7-letter name)

as well as the autorun.inf and the random 7-letter EXE in the root of every partition (do not skip this step: an autorun.inf left behind re-launches the dropped EXE the next time the drive is opened, reinfecting the cleaned machine).

2. Download SREng:

http://download.kztechs.com/files/sreng2.zip

Run it, open Startup Items > Registry, and delete all the IFEO entries shown in red.

Delete the random 7-letter startup entries under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run].

In this test they were the following values:

<syuhxcx><C:\Program Files\Common Files\System\gamkqme.exe> []

<pmovrao><C:\Program Files\Common Files\Microsoft Shared\vdiwghf.exe> []

In SREng, open System Repair > Windows Shell/IE, tick "Show hidden files", and click Repair below it.

In SREng, open System Repair > Advanced Repair > Repair Safe Mode, and click Yes in the dialog that appears.

Cleaning up the downloaded trojans and rogue software

At this point the main malware program has been removed.

Next, clean up the trojans and rogue software it downloaded.

Note: the trojans and rogue software this malware downloads vary from infection to infection, so this cleanup procedure is only a reference.

First download Xdelbox 1.3:

http://www.i170.com/attach/92EB2ED9-6D11-441D-8A28-2A9B08F0452E

Then reboot the computer into Safe Mode (keep pressing F8 after power-on; in the advanced options menu that appears choose the first item, Safe Mode). This only works if the Safe Mode repair in step 2 succeeded.

Open SREng.

Under Startup Items > Services > Win32 Service Applications, click "Hide verified Microsoft items",

select the following items, click "Delete service", then click "Setup" and answer "No" in the dialog:

Windows dcwd RunThem / dcwd

Fax 2Client / ms_2fax

Under Startup Items > Services > Drivers, click "Hide verified Microsoft items",

select the following items, click "Delete service", then click "Setup" and answer "No" in the dialog:

acpidisk / acpidisk

kz0q8id6 / kz0q8id6

Under System Repair > Browser Add-ons, find the following item, click "Delete item", and answer "Yes" in the dialog:

[ff Class]

{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\b601.dll, TODO: <公司名>>

Double-click My Computer, open Tools > Folder Options > View, select "Show hidden files and folders" and clear the "Hide protected operating system files (Recommended)" checkbox. Click "Yes" when asked to confirm the change, then OK.

Click the Folders button below the menu bar (to the right of Search).

In the Explorer tree on the left, open drive C:.

Delete the following files:

C:\Program Files\yxry (the whole folder)

C:\WINDOWS\system32\1b1.dll

C:\WINDOWS\system32\60e41.exe

C:\WINDOWS\system32\ad_2201.exe

C:\WINDOWS\system32\b601.dll

C:\WINDOWS\system32\mprmsgse.axz

C:\WINDOWS\system32\mscpx32r.det

C:\WINDOWS\031.bmp

C:\WINDOWS\3fa1.exe

C:\WINDOWS\716dairx.exe

C:\WINDOWS\716daiwm.exe

C:\WINDOWS\716daiwow.exe

C:\WINDOWS\716daizx.exe

C:\WINDOWS\716dgj.exe

C:\WINDOWS\716dwl.exe

C:\WINDOWS\ad_2201.exe

C:\WINDOWS\boolan95.exe

C:\WINDOWS\dodolook386.exe

C:\WINDOWS\fa7c1.txt

C:\WINDOWS\kulionrx.dll

C:\WINDOWS\kulionrx.exe

C:\WINDOWS\kulionwl.dll

C:\WINDOWS\kulionwm.dll

C:\WINDOWS\kulionzx.dll

C:\WINDOWS\kulionzx.exe

C:\WINDOWS\my_70087.exe

C:\WINDOWS\video.dll

C:\WINDOWS\winow.dll

C:\WINDOWS\winow.exe

C:\WINDOWS\winwl.exe

C:\WINDOWS\winwm.exe

C:\WINDOWS\wmsj.exe

C:\WINDOWS\齊看網Setup2.exe

C:\Program Files\1AGameSetup.exe

C:\Program Files\2BSetup.exe

C:\WINDOWS\system32\drivers\acpidisk.sys

C:\WINDOWS\system32\drivers\iExplorer.exe

C:\WINDOWS\system32\drivers\kz0q8id6.sys

Open Xdelbox 1.3 and enter the following files:

C:\WINDOWS\system32\drivers\809igndb.sys

C:\WINDOWS\system32\bnkgqpadwh.dll

C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

Click Add, select all 3 files, and choose "Reboot now and delete" (Xdelbox removes them during the next boot, before they can be loaded; 809igndb.sys is a boot-start driver and cannot be deleted while Windows is running).

After the reboot, congratulations: all the malware has been removed! As a final check, run SREng again and confirm that the dcwd and ms_2fax services, the three drivers, the two browser add-ons and the IFEO entries are gone, and that the machine boots into Safe Mode.
